{ "name": "npm Packages Hit with TeamPCP-Style CanisterWorm Malware", "slug": "npm-packages-hit-with-teampcp-style-canisterworm-malware", "description": "Malicious npm packages associated with Namastex.ai were compromised with malware exhibiting tradecraft similar to TeamPCP's CanisterWorm campaign. The attack targeted packages including @automagik/genie and pgserve, implementing install-time execution that harvests credentials, environment variables, SSH keys, cloud credentials, browser data, and crypto-wallet artifacts. The payload exfiltrates stolen data to both a conventional webhook at telemetry.api-monitor.com and an Internet Computer Protocol canister endpoint. It incorporates self-propagation logic to compromise additional npm packages using stolen publishing tokens and includes cross-ecosystem spreading capabilities targeting PyPI. The malware uses hybrid encryption with RSA and AES-256-CBC for data exfiltration. Multiple package namespaces were affected, suggesting shared infrastructure or coordinated compromise across publisher accounts.", "published": "2026-04-22T16:22:18.872000+00:00", "created_at": "2026-04-27T14:36:32.635000+00:00", "modified_at": "2026-04-27T12:36:32+00:00", "created_at_opencti": "2026-04-27T14:36:32.635000+00:00", "author": "AlienVault", "confidence": 100, "report_types": [ "threat-report" ], "labels": [ "canisterworm", "credential theft", "icp canister", "npm", "pypi", "self-propagating", "supply chain attack", "worm" ], "tags": [ "2026-04-22", "canisterworm", "credential-theft", "icp canister", "npm", "pypi", "self-propagating", "supply chain attack", "worm" ], "related_entities": { "indicators": [ { "id": "1b15674b-d04d-4712-9168-d0a755c7ac2e", "name": "https://telemetry.api-monitor.com/v1/telemetry'" }, { "id": "4cbf79f8-1c6a-4201-bf10-ec8b3bafab60", "name": "87259b0d1d017ad8b8daa7c177c2d9f0940e457f8dd1ab3abab3681e433ca88e" }, { "id": "300fdc49-427a-4c1c-a5e6-1dac2a6cd4dd", "name": "834b6e5db5710b9308d0598978a0148a9dc832361f1fa0b7ad4343dcceba2812" }, { "id": "ae2a485b-7b2c-405f-a570-8e5e7c44d961", "name": "cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0.io" }, { "id": "bf28a72e-322b-4e2c-a8dc-b4f9871688e7", "name": "https://telemetry.api-monitor.com/v1/drop" }, { "id": "253f8a5a-efc4-466f-adff-fe9c8cc55866", "name": "https://telemetry.api-monitor.com/v1/telemetry" }, { "id": "f3dee263-28d6-470c-b074-771e6e1192c3", "name": "c19c4574d09e60636425f9555d3b63e8cb5c9d63ceb1c982c35e5a310c97a839" }, { "id": "43e7490e-0f59-4119-9062-df3b78ed7fbe", "name": "http://cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0.io/drop" }, { "id": "6ba93873-ea0d-48c4-ba68-712d4af5a244", "name": "telemetry.api-monitor.com" } ], "intrusion_sets": [ { "id": "5255c6ce-4692-4aea-b599-0e78a6c4c4aa", "name": "TeamPCP", "slug": "teampcp" } ], "attack_patterns": [ { "id": "7671fe3e-6a85-463e-928d-16117d2f4f9b", "name": "T1059.006" }, { "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048", "name": "T1555.003" }, { "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2", "name": "T1059.007" }, { "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f", "name": "T1071.001" }, { "id": "ef72da1d-2eaa-4d94-8913-06978609cfb4", "name": "T1608.001" }, { "id": "e615d5ec-8d67-4048-b21d-a5fb09925bb9", "name": "T1552.001" }, { "id": "9f21708c-24b6-46b5-bf7e-522256e8470c", "name": "T1552.004" }, { "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74", "name": "T1005" }, { "id": "0c836307-129e-4ff7-a532-180c633cacba", "name": "T1027" }, { "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571", "name": "T1105" }, { "id": "1d0d9e67-eb8a-439c-a2c7-cab311bb25c4", "name": "T1195.002" }, { "id": "0b534d7b-0850-41a7-9bc5-f2e6162eea42", "name": "T1195.001" }, { "id": "b7c6c1ad-f183-4128-8427-3891029c73dc", "name": "T1539" }, { "id": "ee82762a-2958-4901-aade-341277d9b410", "name": "T1078.004" }, { "id": "14660ccf-ca6b-42f6-8bca-e1b7a04650b3", "name": "T1573.001" }, { "id": "704fe1b3-c63d-4252-a6a7-0dd06b9c5014", "name": "T1546.015" }, { "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e", "name": "T1041" } ], "malware": [ { "id": "dcf681d8-8252-437d-80a9-19a85cfae812", "name": "CanisterWorm", "slug": "canisterworm" } ], "observables": [ { "id": "ede2ca07-2dc8-4ab7-a2e9-ec37bad961cb", "name": "telemetry.api-monitor.com" }, { "id": "eac90128-d861-48f0-be4b-4df317a0e1ae", "name": "cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0.io" }, { "id": "26dcf3d9-756a-489f-af94-a195565cdb25", "name": "https://telemetry.api-monitor.com/v1/telemetry'" }, { "id": "ced7a7e9-fb25-4d3d-95ad-8a977bc6a4a6", "name": "https://telemetry.api-monitor.com/v1/drop" }, { "id": "d58ef316-5825-4919-a462-5825ddb7f08b", "name": "https://telemetry.api-monitor.com/v1/telemetry" }, { "id": "7ccac4a8-4792-40bc-a6cf-f31cbb8a3412", "name": "http://cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0.io/drop" }, { "id": "", "name": "87259b0d1d017ad8b8daa7c177c2d9f0940e457f8dd1ab3abab3681e433ca88e" }, { "id": "", "name": "834b6e5db5710b9308d0598978a0148a9dc832361f1fa0b7ad4343dcceba2812" }, { "id": "", "name": "c19c4574d09e60636425f9555d3b63e8cb5c9d63ceb1c982c35e5a310c97a839" } ], "others": [ { "id": "", "name": "Technology" }, { "id": "", "name": "cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0.io" }, { "id": "", "name": "telemetry.api-monitor.com" } ] }, "external_refs": [ { "id": "0f20bd46-8c5e-42aa-8e9e-b8330aa68cdc", "standard_id": "external-reference--3de11f50-dc1b-5ea7-a229-4e3b94ae0e67", "entity_type": "External-Reference", "source_name": "AlienVault", "description": null, "url": "https://otx.alienvault.com/pulse/69e8f5ba273a5389cb4d03f5", "hash": null, "external_id": "69e8f5ba273a5389cb4d03f5", "created": "2026-04-27T14:36:32.213Z", "modified": "2026-04-27T14:36:32.213Z", "createdById": null }, { "id": "bb5b3c41-78ff-41e0-b0db-980d51c3bbd4", "standard_id": "external-reference--fcd1b86a-686e-5102-8a1f-dab821d0d3c8", "entity_type": "External-Reference", "source_name": "AlienVault", "description": null, "url": "https://socket.dev/blog/namastex-npm-packages-compromised-canisterworm", "hash": null, "external_id": null, "created": "2026-04-27T14:36:32.335Z", "modified": "2026-04-27T14:36:32.335Z", "createdById": null } ] }